The transfer of personal data out of the European Union is subject to a detailed regulatory regime in Regulation 2016/679 (“the GDPR”), and may be permitted on a number of different bases. The most straightforward basis is where the European Commission has made a finding of adequacy under Article 45. In the absence of such a finding, transfers may be made on the basis of appropriate safeguards, including standard data protection clauses drafted by the Commission and adopted as a binding contract between the data exporter (in the EU) and the data importer (in the third country): Article 46(3)(c).
In Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd & Schrems (judgment of 16 July 2020), the CJEU considered the validity under the GDPR and the Charter of the standard data protection clauses and the Privacy Shield adequacy decision adopted in respect of the United States of America.
The CJEU struck down the Privacy Shield decision, holding that US law failed to limit the potential access to transferred data of its national security agencies through their surveillance programmes to what was strictly necessary and proportionate. Data subjects were not provided sufficient rights to take action against the US Government in US courts, and the Ombudsperson mechanism created for the Privacy Shield was insufficiently independent and unable to adopt binding decisions. The CJEU refused to stay the effect of its decision. Transfers of personal data to the USA on the basis of the Privacy Shield decision are, accordingly, unlawful under the GDPR.
However, the CJEU upheld the validity of the standard clauses and gave a detailed defence of their contractual mechanisms to protect the rights of data subjects, through the obligations placed on both the exporter and importer of the data. Transfers on the basis of standard clauses remain valid, and the CJEU accepted that the generic nature of the clauses could not be invalidated by reference to concerns about the laws of one particular third State. However, the CJEU emphasised the responsibility of data exporters to confirm for themselves that use of the standard clauses would in fact provide an adequate level of protection for data subjects in the context in which they were used, and emphasised the obligation on supervisory authorities to suspend or prohibit transfers under such clauses to third States for which the clauses would not provide an adequate level of protection.
The Schrems II decision of the CJEU is a major data protection judgment, and has huge practical importance to all controllers engaged in any form of international transfers of personal data. It will also have significant implications for the data protection regime applicable in and to the United Kingdom following the end of the implementation period.
The judgment can be read here.
Christopher Knight acted for the UK Government, led by Josh Holmes QC for the written observations and unled at the hearing.